{"id":2862,"date":"2025-04-22T07:30:00","date_gmt":"2025-04-22T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2862"},"modified":"2025-04-22T07:30:00","modified_gmt":"2025-04-22T07:30:00","slug":"security-leaders-shed-light-on-their-zero-trust-journeys","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2862","title":{"rendered":"Security leaders shed light on their zero trust journeys"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Zero trust has become a bellwether for access management across the security industry. But while security chiefs have by and large embraced the approach \u2014 founded on the philosophy that <a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">no person or computing entity should be trusted<\/a> inside or outside the organization\u2019s network \u2014 not every organization has completed its journey.<\/p>\n<p>Nearly two-thirds (63%) of organizations worldwide have implemented a zero-trust strategy to some extent, according to a <a href=\"https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2024-04-22-gartner-survey-reveals-63-percent-of-organizations-worldwide-have-implemented-a-zero-trust-strategy\">2024 survey<\/a> from research firm Gartner. Many of those (58%), however, are just starting on this path, with less than 50% of their environments covered by zero trust.<\/p>\n<p>\u201cThe majority of organizations have a strategy in place,\u201d says John Watts, vice president analyst and key initiative leader at Gartner. 
But, Watts notes, many security leaders are still just piloting the enabling technologies and building out the necessary architecture as they work to overcome roadblocks.<\/p>\n<p>To help you better understand the components, complexities, and <a href=\"https:\/\/www.csoonline.com\/article\/571345\/6-zero-trust-myths-and-misconceptions.html\">challenges<\/a> that come with such an undertaking, security chiefs share their experiences on the road to zero trust.<\/p>\n<h2 class=\"wp-block-heading\">Getting the business to embrace change<\/h2>\n<p>For Mary Carmichael, the zero-trust journey is as much about changing culture as it is about evolving an organization\u2019s security infrastructure.<\/p>\n<p>Carmichael, who was hired two years ago as a consultant at a Canadian regulatory agency, saw right away the need to improve the agency\u2019s security posture, which included many remote workers handling sensitive data, much of which was provided by the entities it regulates.<\/p>\n<p>The agency, like many organizations, had a security infrastructure that for the most part trusted entities \u2014 people, devices, and applications \u2014 once they were within the tech environment, Carmichael says.<\/p>\n<p>\u201cIt was: Once you log into the network, you\u2019re trusted. But zero trust is about validating all along the way. 
That is a big change,\u201d says Carmichael, director of strategy, risk, and compliance advisory at Momentum Technology and a member of the Emerging Trends Working Group at professional governance association ISACA.<\/p>\n<p>The agency had a base-level <a href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">identity and access management (IAM)<\/a> capability but neither <a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">multi-factor authentication (MFA)<\/a> nor <a href=\"https:\/\/www.csoonline.com\/article\/572787\/7-top-privileged-access-management-tools.html\">privileged access management (PAM)<\/a> in place \u2014 two key technologies involved in zero trust architectures. It also did not have the tools to track an entity\u2019s movement within the environment so there was no way to challenge an entity\u2019s access to every system it tried to use, Carmichael says.<\/p>\n<p>And while the agency at one point had created identities and paired them with appropriate levels of access, it had experienced \u201caccess creep, because there was no governance and, when people left the organization, there was a delay in getting people out of the identity management system,\u201d Carmichael explains.<\/p>\n<p>But to begin tackling the agency\u2019s security posture, Carmichael first had to provide stakeholders a shared definition of zero trust and a persuasive reason for investing in the required work. 
Only then could she educate the agency on the technological pieces necessary to create zero trust, such as network segmentation, PAM, and MFA, and the process changes that would be needed to enable it.<\/p>\n<p>Nick Puetz, managing director in charge of the cyber strategy practice at consultancy Protiviti, says Carmichael\u2019s journey mirrors that of most organizations, which often have various components of zero trust in place before they formally adopt the approach but not working in concert. Using a zero-trust framework can help.<\/p>\n<p>\u201cIt\u2019s a way to bring all the moving parts together,\u201d he says.<\/p>\n<p>As Carmichael moved the agency along its zero-trust journey, her top hurdle was getting the business to embrace change.<\/p>\n<p>With zero trust, business leaders and HR have significant work to do around creating and governing identities and establishing the appropriate level of access for each identity, Carmichael says. And they have to take responsibility for getting that work right \u2014 and governing it on an ongoing basis.<\/p>\n<p>That\u2019s an organizational change, she emphasizes, which is why <a href=\"https:\/\/www.cio.com\/article\/272222\/change-management-change-management-definition-and-solutions.html\">organizational change management<\/a> and senior-level sponsorship are critical for a successful shift to zero trust.<\/p>\n<p>Focusing on \u201cvalue at risk\u201d \u2014 what would happen if hackers accessed sensitive data to create urgency for change \u2014 helped drive support for zero trust among her business stakeholders. So, too, did education and training, Carmichael adds.<\/p>\n<p>\u201cMoving to zero trust involves so many different groups and process changes and people. 
I don\u2019t think people are aware of the extent of the needed changes when it comes to zero trust,\u201d she says.<\/p>\n<h2 class=\"wp-block-heading\">Balancing usability with security<\/h2>\n<p>When Niel Harper was CISO at the United Nations Office for Project Services, he faced a daunting task: ensuring security for an organization with 8,000 users spread across the globe, many of whom worked out in the field far from its offices in Copenhagen, Geneva, and New York City.<\/p>\n<p>In response, Harper launched the organization on its zero-trust journey during his 2019-2022 tenure.<\/p>\n<p>Like Carmichael, Harper started by examining the organization\u2019s network, devices, applications, workloads, data, and identities to understand where granular controls could and should be placed. He also had to determine, based on business objectives and critical assets, what technical components and process changes would be needed to move from implicit to zero trust.<\/p>\n<p>\u201cLet\u2019s define our crown jewels; those are typically 2% to 10% of your data or assets. Identify them and classify them \u2014 critical, high value, confidential, strictly confidential. That gives you a better idea of what you want to protect,\u201d he says. 
\u201cThen look at the technology investments that best align with those objectives you defined to get a prioritized set of assets you want to protect.\u201d<\/p>\n<p>Harper also took time in advance to identify quick wins and areas where zero trust might not be feasible \u2014 such as with legacy tech.<\/p>\n<p>In implementing his strategy, Harper took an incremental approach.<\/p>\n<p>\u201cI don\u2019t think zero trust is well suited for a big bang; it\u2019s too disruptive,\u201d he says, adding that he convened user groups early in the journey.<\/p>\n<p>\u201cA zero-trust architecture introduces additional friction, because it\u2019s continually verifying people\u2019s access, who they are, their permissions, and that friction can be frustrating for users,\u201d he says. \u201cSo we had focus groups and cross-functional teams from the business with representation from users, so we could explain our objectives and [users could share] their pain points and concerns, so as we implemented controls, we could still have a strong user experience. You don\u2019t want to degrade the quality of experience for users. You always have to balance usability with security.\u201d<\/p>\n<p>To move forward, Harper\u2019s team first implemented controls in the offices, starting with those quick wins. Those included implementing MFA and technology to enforce conditional access.<\/p>\n<p>Harper then devised a roadmap that would address more complex implementations that could continue after he left the organization.<\/p>\n<p>Harper, who is now CISO and global data protection officer at software company Doodle as well as ISACA board vice chair, says he is taking a similar approach as he advances a zero-trust model at his new company.<\/p>\n<h2 class=\"wp-block-heading\">\u2018People, process, and systems coming together\u2019<\/h2>\n<p>A 2021 hack put OHLA USA and its CIO, Srivatsan Raghavan, on the zero-trust journey. 
The incident, Raghavan explains, highlighted the fact that the security measures that had been in place \u201ccollectively put together were inadequate.\u201d<\/p>\n<p>\u201cWe went through several years where we had no incidents at all, so we thought we were doing something right. I wouldn\u2019t call it overconfidence, but it was a feeling of validation,\u201d Raghavan says.<\/p>\n<p>The breach challenged that validation and gave the company \u201ca stepping stone to do better, because with zero trust, there is a belief that [security] tools are not enough. It\u2019s people, process, and systems coming together.\u201d<\/p>\n<p>Raghavan, who oversees security, and his team started with self-examination: \u201cWe had to think about how we were operating on a daily basis. You put all that on the table, and you reflect on it.\u201d<\/p>\n<p>He says that showed him the need to add more controls \u2014 as is typically the case for an organization as it builds a zero-trust security environment \u2014 as well as the need to break down siloes.<\/p>\n<p>\u201cWe had to destroy all those siloes in the organization for IT to become a better IT team and have a better understanding of the whole business,\u201d he says.<\/p>\n<p>To help with that, Raghavan created a framework by combining ones from the National Institute of Standards and Technology (NIST) and Microsoft. His custom framework enables his team to bucket and tackle projects as they advance the company\u2019s zero-trust journey. And the framework helps them evaluate how well the company does with identifying, protecting, detecting, responding to, and recovering from potential intrusions and incidents in specific areas.<\/p>\n<p>Puetz, the Protiviti managing director, says many organizations find value in zero trust for similar reasons. 
\u201cZero trust allows CISOs to break their strategy into bite-size pieces and to explain where the cybersecurity program is and where it needs to go,\u201d he adds.<\/p>\n<p>Raghavan has made significant progress in maturing his zero-trust program.<\/p>\n<p>For example, he eliminated the use of a wide-area network (WAN) and replaced it with cloud-based controls including an always-on VPN, a mobile device management (MDM) solution, MFA, and conditional-access capabilities.<\/p>\n<p>He also dropped titles such as server manager and network engineer, saying \u201cwe didn\u2019t want those buckets anymore,\u201d and shifted to senior technologist and junior technologist to break down siloes.<\/p>\n<p>\u201cWe didn\u2019t want to draw lines around responsibilities. We want to reflect the interdependency of work,\u201d adds Raghavan, who became a <em><a href=\"https:\/\/www.csoonline.com\/article\/570033\/cism-certification-requirements-prerequisites-and-cost.html\">Certified Information Security Manager (CISM)<\/a><\/em> during this journey.<\/p>\n<p>Raghavan says the zero-trust philosophy puts his company \u2014 a large construction company that espouses \u201cThink Safety. Always.\u201d \u2014 on a safer security path as it adopts more automation and artificial intelligence.<\/p>\n<p>\u201cZero trust is going to make it easier to manage security and get more granular with controls. Zero trust is all about managing IT as granularly as possible,\u201d he adds. \u201cThat\u2019s strategically where we\u2019re going, looking at every business process to look for deficiencies and vulnerabilities and then find ways to strengthen them by applying the principles of zero trust to how we operate our business.\u201d<\/p>\n<p><strong>More on zero trust:<\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/564201\/what-is-zero-trust-a-model-for-more-effective-security.html\">What is zero trust? 
The security model for a distributed and risky era<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571067\/7-tenets-of-zero-trust-explained.html\">7 tenets of zero trust explained<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/654427\/5-practical-recommendations-implementing-zero-trust.html\">5 practical recommendations for implementing zero trust<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571345\/6-zero-trust-myths-and-misconceptions.html\">6 zero trust myths and misconceptions<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/571341\/5-steps-toward-real-zero-trust-security.html\">5 steps toward real zero trust security<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/651393\/5-areas-zero-trust-cant-protect-organizations.html\">5 areas where zero trust can\u2019t protect your organization<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Zero trust has become a bellwether for access management across the security industry. But while security chiefs have by and large embraced the approach \u2014 founded on the philosophy that no person or computing entity should be trusted inside or outside the organization\u2019s network \u2014 not every organization has completed its journey. 
Nearly two-thirds (63%) [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2863,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2862","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2862"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2862"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2862\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2863"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}